ISM-0351 ASD Information Security Manual (ISM)

Proper Method for Volatile Media Sanitisation

Turn off power to the storage device for 10 minutes to fully clear data.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Nov 2021

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
Volatile media is sanitised by removing its power for at least 10 minutes.

Source: ASD Information Security Manual (ISM)

Plain language

Volatile media, like computer memory, only holds data while it's powered on. This control ensures you turn off power for at least 10 minutes to completely erase any data. If you skip this step, sensitive information could remain and fall into the wrong hands, risking privacy breaches or data leaks.

Why it matters

If power is not removed for at least 10 minutes, volatile media may retain data and enable exposure of residual memory contents.

Operational notes

Ensure volatile media is powered off for at least 10 minutes and record the start/finish times to confirm sanitisation has occurred.

Implementation tips

  • IT staff should be responsible for powering down devices: To properly clear volatile media, ensure that computers or devices are turned off completely for at least 10 minutes. This can be done by powering off through the operating system and unplugging from power sources to ensure data is purged.
  • System owners should document the shutdown process: Create a procedure document outlining how and when devices should be powered down for data sanitisation. Distribute these procedures in staff meetings or via internal communications to ensure everyone understands the process.
  • Managers should schedule regular checks: Set up a routine check to ensure that the procedure to turn off devices for 10 minutes is followed consistently. This can be done through random spot checks or integrating it into weekly maintenance tasks.
  • Human Resources should inform new employees: During onboarding, include a section on data handling and device use that covers the importance of this control. Make sure new joiners understand the policy and its role in protecting sensitive data.
  • Procurement should coordinate with IT for disposal: When removing or recycling devices, make sure there’s a coordinated plan for powering them down properly. Inform the recycling vendor about this requirement to prevent any data from remaining on the device.

Audit / evidence tips

  • Ask: for the written procedure for sanitising volatile media. Verify that the document includes steps for shutting down the devices and the importance of the 10-minute rule.

    Good: includes clear instructions and the rationale behind them, showing the procedure has been reviewed and authorised

  • Ask: them to describe the steps they take to ensure the media is properly sanitised

    Good: includes knowing the 10-minute rule, when they carry it out, and how they verify it’s done correctly

  • Ask: if data handling and device shutdown procedures are part of the onboarding process

    Good: confirmation includes details of training materials or sessions and feedback from new employees acknowledging understanding

Cross-framework mappings

How ISM-0351 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (3)

  • Annex A 7.10: ISM-0351 requires volatile media to be sanitised by removing power for at least 10 minutes to clear residual data
  • Annex A 7.14: ISM-0351 requires volatile media to be sanitised by removing power for at least 10 minutes
  • Annex A 8.10: ISM-0351 requires sanitisation of volatile media by removing power for at least 10 minutes
